1syslogd_selinux(8)          SELinux Policy syslogd          syslogd_selinux(8)
2
3
4

NAME

6       syslogd_selinux  -  Security Enhanced Linux Policy for the syslogd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  syslogd  processes  via  flexible
11       mandatory access control.
12
13       The  syslogd processes execute with the syslogd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep syslogd_t
20
21
22

ENTRYPOINTS

24       The  syslogd_t  SELinux type can be entered via the syslogd_exec_t file
25       type.
26
27       The default entrypoint paths for the syslogd_t domain are  the  follow‐
28       ing:
29
30       /sbin/syslogd,    /sbin/minilogd,    /sbin/rsyslogd,   /sbin/syslog-ng,
31       /usr/sbin/metalog,        /usr/sbin/syslogd,        /usr/sbin/minilogd,
32       /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-jour‐
33       nald, /usr/lib/systemd/systemd-kmsg-syslogd
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       syslogd policy is very flexible allowing users to setup  their  syslogd
43       processes in as secure a method as possible.
44
45       The following process types are defined for syslogd:
46
47       syslogd_t
48
49       Note:  semanage permissive -a syslogd_t can be used to make the process
50       type syslogd_t permissive. SELinux does not deny access  to  permissive
51       process  types, but the AVC (SELinux denials) messages are still gener‐
52       ated.
53
54

BOOLEANS

56       SELinux policy is customizable based on least access required.  syslogd
57       policy is extremely flexible and has several booleans that allow you to
58       manipulate the policy and run syslogd with the tightest  access  possi‐
59       ble.
60
61
62
63       If you want to allow all domains to execute in fips_mode, you must turn
64       on the fips_mode boolean. Enabled by default.
65
66       setsebool -P fips_mode 1
67
68
69
70       If you want to allow confined applications to run  with  kerberos,  you
71       must turn on the kerberos_enabled boolean. Disabled by default.
72
73       setsebool -P kerberos_enabled 1
74
75
76
77       If  you want to allow syslogd daemon to send mail, you must turn on the
78       logging_syslogd_can_sendmail boolean. Disabled by default.
79
80       setsebool -P logging_syslogd_can_sendmail 1
81
82
83
84       If you want to allow syslogd the ability to call nagios plugins. It  is
85       turned  on  by omprog rsyslog plugin, you must turn on the logging_sys‐
86       logd_run_nagios_plugins boolean. Disabled by default.
87
88       setsebool -P logging_syslogd_run_nagios_plugins 1
89
90
91
92       If you want to allow syslogd the ability to read/write  terminals,  you
93       must turn on the logging_syslogd_use_tty boolean. Enabled by default.
94
95       setsebool -P logging_syslogd_use_tty 1
96
97
98

PORT TYPES

100       SELinux defines port types to represent TCP and UDP ports.
101
102       You  can  see  the  types associated with a port by using the following
103       command:
104
105       semanage port -l
106
107
108       Policy governs the access  confined  processes  have  to  these  ports.
109       SELinux  syslogd  policy is very flexible allowing users to setup their
110       syslogd processes in as secure a method as possible.
111
112       The following port types are defined for syslogd:
113
114
115       syslog_tls_port_t
116
117
118
119       Default Defined Ports:
120                 tcp 6514,10514
121                 udp 6514,10514
122
123
124       syslogd_port_t
125
126
127
128       Default Defined Ports:
129                 tcp 601,20514
130                 udp 514,601,20514
131

MANAGED FILES

133       The SELinux process type syslogd_t can manage files  labeled  with  the
134       following file types.  The paths listed are the default paths for these
135       file types.  Note the processes UID still need to have DAC permissions.
136
137       cluster_conf_t
138
139            /etc/cluster(/.*)?
140
141       cluster_var_lib_t
142
143            /var/lib/pcsd(/.*)?
144            /var/lib/cluster(/.*)?
145            /var/lib/openais(/.*)?
146            /var/lib/pengine(/.*)?
147            /var/lib/corosync(/.*)?
148            /usr/lib/heartbeat(/.*)?
149            /var/lib/heartbeat(/.*)?
150            /var/lib/pacemaker(/.*)?
151
152       cluster_var_run_t
153
154            /var/run/crm(/.*)?
155            /var/run/cman_.*
156            /var/run/rsctmp(/.*)?
157            /var/run/aisexec.*
158            /var/run/heartbeat(/.*)?
159            /var/run/corosync-qnetd(/.*)?
160            /var/run/corosync-qdevice(/.*)?
161            /var/run/corosync.pid
162            /var/run/cpglockd.pid
163            /var/run/rgmanager.pid
164            /var/run/cluster/rgmanager.sk
165
166       logfile
167
168            all log files
169
170       root_t
171
172            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
173            /
174            /initrd
175
176       security_t
177
178            /selinux
179
180       syslogd_tmpfs_t
181
182
183       syslogd_var_lib_t
184
185            /var/lib/r?syslog(/.*)?
186            /var/lib/syslog-ng(/.*)?
187            /var/lib/syslog-ng.persist
188            /var/lib/misc/syslog-ng.persist-?
189
190       syslogd_var_run_t
191
192            /var/run/log(/.*)?
193            /var/run/syslog-ng.ctl
194            /var/run/syslog-ng(/.*)?
195            /var/run/systemd/journal(/.*)?
196            /var/run/metalog.pid
197            /var/run/syslogd.pid
198
199       systemd_bootchart_tmpfs_t
200
201
202       systemd_coredump_tmpfs_t
203
204
205

FILE CONTEXTS

207       SELinux requires files to have an extended attribute to define the file
208       type.
209
210       You can see the context of a file using the -Z option to ls
211
212       Policy  governs  the  access  confined  processes  have to these files.
213       SELinux syslogd policy is very flexible allowing users to  setup  their
214       syslogd processes in as secure a method as possible.
215
216       EQUIVALENCE DIRECTORIES
217
218
219       syslogd  policy  stores data with multiple different file context types
220       under the /var/lib/syslog-ng directory.  If you would like to store the
221       data  in a different directory you can use the semanage command to cre‐
222       ate an equivalence mapping.  If you wanted to store this data under the
223       /srv directory you would execute the following command:
224
225       semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng
226       restorecon -R -v /srv/syslog-ng
227
228       syslogd  policy  stores data with multiple different file context types
229       under the /var/run/syslog-ng directory.  If you would like to store the
230       data  in a different directory you can use the semanage command to cre‐
231       ate an equivalence mapping.  If you wanted to store this data under the
232       /srv directory you would execute the following command:
233
234       semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng
235       restorecon -R -v /srv/syslog-ng
236
237       STANDARD FILE CONTEXT
238
239       SELinux  defines  the file context types for the syslogd, if you wanted
240       to store files with these types in a diffent paths, you need to execute
241       the  semanage  command  to  sepecify  alternate  labeling  and then use
242       restorecon to put the labels on disk.
243
244       semanage  fcontext  -a  -t   syslogd_unit_file_t   '/srv/mysyslogd_con‐
245       tent(/.*)?'
246       restorecon -R -v /srv/mysyslogd_content
247
248       Note:  SELinux  often  uses  regular expressions to specify labels that
249       match multiple files.
250
251       The following file types are defined for syslogd:
252
253
254
255       syslogd_exec_t
256
257       - Set files with the syslogd_exec_t type, if you want to transition  an
258       executable to the syslogd_t domain.
259
260
261       Paths:
262            /sbin/syslogd,  /sbin/minilogd,  /sbin/rsyslogd,  /sbin/syslog-ng,
263            /usr/sbin/metalog,     /usr/sbin/syslogd,      /usr/sbin/minilogd,
264            /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-
265            journald, /usr/lib/systemd/systemd-kmsg-syslogd
266
267
268       syslogd_initrc_exec_t
269
270       - Set files with the syslogd_initrc_exec_t type, if you want to transi‐
271       tion an executable to the syslogd_initrc_t domain.
272
273
274
275       syslogd_tmp_t
276
277       -  Set  files with the syslogd_tmp_t type, if you want to store syslogd
278       temporary files in the /tmp directories.
279
280
281
282       syslogd_tmpfs_t
283
284       - Set files with the syslogd_tmpfs_t type, if you want to store syslogd
285       files on a tmpfs file system.
286
287
288
289       syslogd_unit_file_t
290
291       - Set files with the syslogd_unit_file_t type, if you want to treat the
292       files as syslogd unit content.
293
294
295
296       syslogd_var_lib_t
297
298       - Set files with the syslogd_var_lib_t type, if you want to  store  the
299       syslogd files under the /var/lib directory.
300
301
302       Paths:
303            /var/lib/r?syslog(/.*)?,  /var/lib/syslog-ng(/.*)?,  /var/lib/sys‐
304            log-ng.persist, /var/lib/misc/syslog-ng.persist-?
305
306
307       syslogd_var_run_t
308
309       - Set files with the syslogd_var_run_t type, if you want to  store  the
310       syslogd files under the /run or /var/run directory.
311
312
313       Paths:
314            /var/run/log(/.*)?,    /var/run/syslog-ng.ctl,    /var/run/syslog-
315            ng(/.*)?,  /var/run/systemd/journal(/.*)?,   /var/run/metalog.pid,
316            /var/run/syslogd.pid
317
318
319       Note:  File context can be temporarily modified with the chcon command.
320       If you want to permanently change the file context you need to use  the
321       semanage fcontext command.  This will modify the SELinux labeling data‐
322       base.  You will need to use restorecon to apply the labels.
323
324

COMMANDS

326       semanage fcontext can also be used to manipulate default  file  context
327       mappings.
328
329       semanage  permissive  can  also  be used to manipulate whether or not a
330       process type is permissive.
331
332       semanage module can also be used to enable/disable/install/remove  pol‐
333       icy modules.
334
335       semanage port can also be used to manipulate the port definitions
336
337       semanage boolean can also be used to manipulate the booleans
338
339
340       system-config-selinux is a GUI tool available to customize SELinux pol‐
341       icy settings.
342
343

AUTHOR

345       This manual page was auto-generated using sepolicy manpage .
346
347

SEE ALSO

349       selinux(8), syslogd(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
350       icy(8), setsebool(8)
351
352
353
354syslogd                            21-03-26                 syslogd_selinux(8)
Impressum